18 Jan 2014
Whitelisting CloudFlare in Nginx
I recently moved from Apache2 to Nginx as my web server of choice because of its low memory footprint, so I can run it on a very small Digital Ocean Droplet (that's a referral link; here's a direct link: https://www.digitalocean.com).
CloudFlare is a Content Delivery Network (CDN) provider and has a free tier, which is great to protect my little droplet. To protect it even more, you can whitelist CloudFlare's IPs so that only requests arriving through CloudFlare reach your origin.
To do this, create a file that allows all of CloudFlare's IPs. You can then include it into your nginx config. If you have multiple sites, you can include it in each server block, or once globally.
Create /etc/nginx/cloudflare-allow.conf
Then in your sites-available/site.com
add:
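As an added example (not the files from the original post), here is what the two pieces could look like. The CIDRs are RFC 5737/3849 documentation placeholders, not CloudFlare's real ranges, and the site.com server block and paths are hypothetical:

```nginx
# /etc/nginx/cloudflare-allow.conf
# One "allow" per CloudFlare range. The CIDRs below are placeholders;
# replace them with the list CloudFlare publishes at
# https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6,
# and keep it current, otherwise legitimate CloudFlare edges get a 403.
allow 203.0.113.0/24;     # placeholder IPv4 range
allow 198.51.100.0/24;    # placeholder IPv4 range
allow 2001:db8::/32;      # placeholder IPv6 range

# /etc/nginx/sites-available/site.com  (hypothetical server block)
server {
    listen 80;
    server_name site.com www.site.com;
    root /var/www/site.com;

    # ngx_http_access_module checks allow/deny rules in order against
    # $remote_addr, the address of the TCP peer. Behind CloudFlare that is
    # the CloudFlare edge, not the visitor. First match wins, so the
    # included "allow" lines must come before "deny all".
    include /etc/nginx/cloudflare-allow.conf;
    deny all;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Run `nginx -t` before reloading. Requests that bypass CloudFlare then show up in the access log as 403s with a non-CloudFlare $remote_addr, which is a cheap way to spot anyone probing the origin directly. One caveat: if you also use ngx_http_realip_module (set_real_ip_from / real_ip_header) to recover the visitor's address, it rewrites $remote_addr before the access phase runs, so the allow rules would then see the visitor's IP and every request would be denied.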
That's it. Now, when you access the page via your direct hostname, nginx returns a 403 Forbidden. Note that this is still a hit to the origin and nginx will process it. I took this approach because I have some other hosts that are not behind CloudFlare.
Alternatively, you can use iptables to drop all packets not from CloudFlare: https://support.cloudflare.com/hc/en-us/articles/200169166-How-do-I-whitelist-CloudFlare-s-IP-addresses-in-iptables-
Links:
More info on ngx_http_access_module, which provides the allow/deny directives: http://nginx.org/en/docs/http/ngx_http_access_module.html
Setting up virtual hosts in nginx: https://www.digitalocean.com/community/articles/how-to-set-up-nginx-virtual-hosts-server-blocks-on-ubuntu-12-04-lts--3